DemandFlow's SIEM turns the platform into a log collector, rule engine and alerting hub for the systems you care about. External applications send events in; rules watch for anything worth knowing about; alerts land in a triage queue; and the integration engine routes notifications into Slack or email without extra plumbing.
This article gives the big picture. The remaining articles in this category walk through each activity step by step.
What you can do
- Ingest JSON log events from any external system that can make an HTTPS request.
- Keep events organised by source, with per-source rate limits and lifecycle controls.
- Watch for threshold, pattern-match or absence conditions and raise alerts automatically.
- Triage alerts through a standard workflow (Open, Acknowledged, Investigating, Resolved or False Positive).
- Dispatch notifications to Slack or email through integration flows.
- See silent sources at a glance so you notice when a log stream stops without warning.
- Build dashboards that summarise events, alerts and source health.
How the pieces fit together
Five kinds of record make up the SIEM:
- Log source: one record per external system that sends logs. Holds the name, an immutable source identifier and the ingest API key. Created by an admin in Settings.
- Log event: a single event ingested from a source. Stored separately from normal DemandFlow data so heavy log traffic never slows down the rest of the app.
- Alert rule: a saved condition the system watches for, such as too many failed logins in five minutes, any event mentioning a forbidden command, or a source that has gone quiet.
- Alert: a record created when a rule fires. It links to the rule and the sample events that matched, and moves through the triage workflow.
- Integration flow: a reusable pipeline that sends a notification. A rule points at a flow, and the flow handles delivery to Slack, email or any other destination.
A typical workflow
- An admin creates a log source and generates its ingest key.
- The source system (a Lambda, an application, a firewall, an agent) posts its events to the ingest endpoint using the key.
- Events appear under the source's Recent Events panel and in the Logs screen.
- You write one or more alert rules for the signals that matter: failed logins, errors per minute, keywords in a message, silent sources.
- When a rule fires, an alert record is created and the linked integration flow sends the notification.
- Whoever is on rota opens the alert, investigates using the linked sample events, and moves it through the triage states.
- The Source health screen and SIEM dashboards give you a running view of what is coming in and what is going quiet.
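The workflow above, together with the five record kinds listed under "How the pieces fit together", as an added stand-alone illustration in Python. This is not DemandFlow code and it does not call the DemandFlow API; every source identifier, field name, rule, sample event and timestamp is constructed for the example, and the set of allowed triage transitions is an assumption chosen to fit the states the article lists. It shows how the three rule kinds (threshold, pattern-match, absence) evaluate a batch of events and how an alert moves through triage.

```python
"""Added illustration (not DemandFlow code): an in-memory model of the SIEM
workflow -- log sources, ingested events, threshold / pattern-match / absence
rules, alerts and their triage states.  All names and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re

# Triage states from the article; the allowed transitions are an assumption.
TRANSITIONS = {
    "Open": {"Acknowledged", "False Positive"},
    "Acknowledged": {"Investigating", "Resolved", "False Positive"},
    "Investigating": {"Resolved", "False Positive"},
}


@dataclass
class LogEvent:
    source: str                       # immutable source identifier (hypothetical)
    ts: datetime                      # event time, UTC
    message: str
    fields: dict = field(default_factory=dict)


@dataclass
class Alert:
    rule: str
    samples: list                     # the events that caused the rule to fire
    state: str = "Open"

    def move(self, new_state: str) -> None:
        """Advance through triage, refusing transitions the workflow does not allow."""
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise ValueError(f"cannot move alert from {self.state} to {new_state}")
        self.state = new_state


def threshold_rule(name, events, now, *, source, match, count, window):
    """Fire when at least `count` matching events from `source` arrived within `window`."""
    cutoff = now - window
    hits = [e for e in events if e.source == source and e.ts >= cutoff and match(e)]
    return Alert(name, hits) if len(hits) >= count else None


def pattern_rule(name, events, now, *, pattern):
    """Fire on any event whose message matches the regular expression `pattern`."""
    rx = re.compile(pattern)
    hits = [e for e in events if rx.search(e.message)]
    return Alert(name, hits) if hits else None


def absence_rule(name, events, now, *, source, quiet_for):
    """Fire when `source` has sent nothing for longer than `quiet_for` (a silent source)."""
    latest = max((e.ts for e in events if e.source == source), default=None)
    if latest is None or now - latest > quiet_for:
        return Alert(name, [])        # nothing matched, so there are no sample events
    return None


def run_rules(events, now):
    """Evaluate the constructed rule set and return the alerts that fired, in rule order."""
    rules = [
        lambda: threshold_rule("failed-logins", events, now, source="auth-api",
                               match=lambda e: e.fields.get("outcome") == "failure",
                               count=3, window=timedelta(minutes=5)),
        lambda: pattern_rule("forbidden-command", events, now, pattern=r"rm -rf /"),
        lambda: absence_rule("firewall-silent", events, now, source="edge-fw",
                             quiet_for=timedelta(minutes=30)),
    ]
    return [a for a in (r() for r in rules) if a is not None]


# Constructed sample events: three failed logins inside five minutes (plus one
# older one outside the window), one message containing the forbidden string,
# and a firewall whose last event is over an hour old.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    LogEvent("auth-api", NOW - timedelta(minutes=4), "login", {"outcome": "failure", "user": "alice"}),
    LogEvent("auth-api", NOW - timedelta(minutes=3), "login", {"outcome": "failure", "user": "alice"}),
    LogEvent("auth-api", NOW - timedelta(minutes=1), "login", {"outcome": "failure", "user": "alice"}),
    LogEvent("auth-api", NOW - timedelta(minutes=9), "login", {"outcome": "failure", "user": "bob"}),
    LogEvent("build-agent", NOW - timedelta(minutes=2), "exec: rm -rf / --no-preserve-root"),
    LogEvent("edge-fw", NOW - timedelta(hours=1, minutes=5), "session closed"),
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS, NOW):
        print(alert.rule, alert.state, len(alert.samples))
        alert.move("Acknowledged")    # first step of the triage workflow
```

Note that the absence rule yields an alert with no sample events: there is nothing to attach when the signal is the lack of data, which is why the Source health screen is the natural place to confirm a silent-source alert rather than the alert's event list.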
Access
SIEM features are admin-level functionality. Log source management lives under the Settings screen, which is gated to admins. The Alerts, Alert rules, Logs, Source health and Dashboards screens are in the SIEM section of the main sidebar.
Where to go next
- Start with Setting up a log source and generating an ingest key if you are configuring SIEM for the first time.
- Go to Ingesting logs via the API once a source exists and you need to wire a system up to it.
- Jump to Writing alert rules once events are flowing and you want signals rather than raw logs.